The 'Worm' That Could Bring Down The Internet

Mark Bowden is the author of several books, including Black Hawk Down, Killing Pablo: The Hunt for the World's Greatest Outlaw and Guests of the Ayatollah.

Courtesy of the author

Listen

Listening...

/

Originally published on September 29, 2011 8:47 am

For the past three years, a highly encrypted computer worm called Conficker has been spreading rapidly around the world. As many as 12 million computers have been infected with the self-updating worm, a type of malware that can get inside computers and operate without their permission.

"What Conficker does is penetrate the core of the [operating system] of the computer and essentially turn over control of your computer to a remote controller," writer Mark Bowden tells Fresh Air's Terry Gross. "[That person] could then utilize all of these computers, including yours, that are connected. ... And you have effectively the largest, most powerful computer in the world."

The gigantic networked system created by the Conficker worm is what's known as a "botnet." The Conficker botnet is powerful enough to take over computer networks that control banking, telephones, security systems, air traffic control and even the Internet itself, says Bowden. His new book, Worm: The First Digital World War, details how Conficker was discovered, how it works, and the ongoing programming battle to bring down the Conficker worm, which he says could have widespread consequences if used nefariously.

"If you were to launch with a botnet that has 10 million computers in it — launch a denial of service attack — you could launch a large enough attack that it would not just overwhelm the target of the attack, but the root servers of the Internet itself, and could crash the entire Internet," he says. "What frightens security folks, and increasingly government and Pentagon officials, is that a botnet of that size could also be used as a weapon."

When Russia launched its attack on Georgia in 2008, Russian officials also took down communication lines and the Internet within Georgia. Egypt also took down its own country's Internet service during the uprisings last spring.

"It's the equivalent of shutting down the train system during the Civil War, where the Union troops and the Confederate troops used trains to shuttle arms and ammunition and supplies all over their area of control," says Bowden. "And if you could shut their trains down, you cripple their ability to function. Similarly, you could do that today by taking down the Internet."

The Conficker worm can also be used to steal things like your passwords and codes for any accounts you use online. Officials in Ukraine recently arrested a group of people who were leasing a portion of the Conficker worm's computers to drain millions of dollars from bank accounts in the United States.

"It raises the question of whether creating or maintaining a botnet is a criminal activity, because if I break into a safe at the bank using a Black & Decker drill, is Black & Decker culpable for the way I use the tool?" he says. "That's one of the tools you could use the botnet for. With a botnet of 25,000 computers, you could break the security codes for Amazon.com, you could raid people's accounts, you could get Social Security numbers and data — there's almost no commercial security system in place that couldn't be breached by a supercomputer of tens of thousands."

After Conficker was discovered in 2008 at Stanford, it prompted computer security experts from around the world to get together to try to stop the bot. The volunteer group of experts, which called itself the Conficker Working Group, also tried to get the government involved with their efforts. But they soon discovered that the government didn't have a very good understanding of what the worm could do.

"[They] began reaching out to the NSA [National Security Agency] and [the Pentagon] to see if they would be willing to loan their computers [to help them], and what [they] discovered was that no one in the government understood what was happening," says Bowden. "There was a very low level of cyberintelligence, even at agencies that ought to have been very seriously involved, who were responsible for protecting the country, its electrical grid, its telecommunications. These agencies lacked the sophistication not only to deal with Conficker, but even to understand what Conficker was."

At some point in early 2009, the Conficker Working Group learned that the Conficker worm could wreak havoc on April 1, 2009 — a date when the computers infected by Conficker would receive instructions from their remote-controlled operator.

"The assumption was that if Conficker was to do anything, that would be the day that it would be destructive to the Internet," says Bowden. "But on April 1, nothing happened."

The Conficker Working Group realized that the creator of Conficker had little interest in taking down the Internet or using its bot to create mass destruction.

"The people behind it apparently want to use it for criminal reasons — to make money," says Bowden.

But that doesn't mean that Conficker is controlled, says Bowden. No one knows yet who controls the worm or what its intentions might be.

"At any moment, Conficker could do something really threatening," he says. "[People fighting the bot] are trying to figure it out still. And every new day, as the worm makes its contacts, they generate long lists of computers that are infected — which still include big networks within the FBI, within the Pentagon, within large corporations. So they monitor it and keep track of where it's spread, and they're still working with the government to secure vital computer networks from botnets like Conficker."

Copyright 2013 NPR. To see more, visit http://www.npr.org/.

Transcript

TERRY GROSS, host: This is FRESH AIR. I'm Terry Gross. Remember when hackers were just a nuisance? Today there are computer hackers operating large criminal networks. There are hackers attacking government networks. Everything from the Pentagon to the banking system and the electrical grid are vulnerable to hacker attacks.

You probably knew that. You may not have known that your computer can be, in fact might already be, infected with a worm that could command your computer to be used in such an attack. My guest, Mark Bowden, is about to explain how. He's the author of the new book "Worm: The First Digital World War." He's also the author of "Black Hawk Down" and is a national correspondent for The Atlantic.

His new book "Worm" focuses on the Conficker worm. Since it was unleashed in 2008, it has infected 10 to 12 million computers around the world. The book is also about the small network of cybersecurity geniuses who organized to thwart Conficker and investigate who was behind it. A new version of Conficker was expected to activate on April Fool's Day of 2009. Some experts predicted it would be doomsday for the Internet. It wasn't.

Mark Bowden, welcome back to FRESH AIR.

MARK BOWDEN: Thank you, Terry.

GROSS: So should I use the present tense or past tense when we're talking about Conficker? Is it still out there?

BOWDEN: It's still very much alive.

GROSS: That's not good news, right?

BOWDEN: No, it's not. You know, the good news is that even though it's very much alive, the creators of it have chosen not to use it to destroy the Internet, which they could. I think it serves their ends. They're trying to make money with it, I suspect. And so they need the Internet.

But the potential of the botnet is still out there, and it's still very, very dangerous.

GROSS: What were some of the worst-case scenarios that the group trying to stop this worm...

BOWDEN: Worst-case scenario would be taking down the Internet itself. If you were to launch with a botnet that has 10 million computers in it, launch say a denial-of-service attack...

GROSS: And we'll explain what all this means in a second, if you don't already know.

BOWDEN: I mean, you could launch a large enough attack that it would overwhelm not just the target of the attack but the servers, the root servers - there are 13 of them - of the Internet itself, and you could crash the Internet.

GROSS: But so, if the Conficker worm shut down the Internet, does that mean destroy the Internet or disable it for, you know, a brief amount of time?

BOWDEN: It would disable it for a significant amount of time. But they would eventually, I think, get it back up and running. But even a brief interruption in the Internet could be - well, would lead to loss of life. Things like air traffic control systems, which rely on the Internet, medical, you know, communications, a lot of medical machinery and computers rely on the Internet. Increasingly our society leans more and more heavily on the Internet every year, and yet it remains an extraordinarily fragile tool.

GROSS: This would include, like, the electric grid?

BOWDEN: The electric grid, telecommunications. You would lose all ability to telephone anybody, to get text messages, to send emails. It would be hugely inconvenient, but beyond inconvenience, for some vital industries - like the, say the electric grid, it would disrupt electrical service all over the country. Traffic lights in major cities would stop functioning correctly or would go dark.

GROSS: Just so we all have a little background before we move on and talk more about Conficker, Conficker is a worm, it's not a virus. What's the difference?

BOWDEN: Well, they're both malware, and malware is any software that gets inside your computer and begins to operate without your permission. A virus is something that spreads from computer to computer, traditionally by somebody opening an email or an attachment. You're lured into opening it with tricks.

A worm doesn't need any help from you, as the computer user, at all. It finds its own way into your computer, into the central operating system, and does what it does.

GROSS: And then it can check in with the mother computer for directions...

BOWDEN: Exactly.

GROSS: ...and actually do something that it's ordered to do by the mother computer. And the mother computer can order all of the computers under its control to do something at the same time.

BOWDEN: That's right. That's a botnet, and, you know, the worms that - what worms are very good at is creating botnets because the users of computers that have been infected by it are not even aware, for the most part, that their computer is infected. And what that worm does, what Conficker does, is penetrate the kernel, the core of the operation system of the computer and essentially turn over control of your computer to a remote controller.

And, you know, that's the creator of the worm, and no one knows who that is, probably someone in the Ukraine, who could then utilize all of these computers, including yours, that are connected to - it forms essentially a supercomputer.

There's two ways you can have a supercomputer. You could either build one the size of a room, or you could find a way to link 25,000, 200,000 or, in the case of Conficker, 10 to 12 million, and you have effectively, you know, the largest, most powerful computer in the world.

GROSS: Okay, so Conficker got into 10 to 12 million computers, and nobody really knows why. What is the ambition?

BOWDEN: Well, you can surmise, because it's been around now since 2008, roughly what its ambitions are, and it's probably to steal. Probably its main ambition is to make money, and so in order to do that, and there's lots of different ways you make money with botnets, it has to - it needs the Internet. I mean, that's the avenue that it uses.

What frightens security folks in the computer industry and increasingly government officials and Pentagon officials is that a botnet of that size could also be used as a weapon, and increasingly we're seeing nation-states launch cyberattacks. So we are in a world now where we have to start thinking, we should have started thinking a long time ago, but we need to start thinking really seriously about how to protect this electronic infrastructure.

GROSS: If it was used as a weapon, what kind of weapon? What would it do?

BOWDEN: What it would do is it would shut down communications, and it's very effective, say for instance, when Russia launched its attack on Georgia. They took down telecommunications and Internet in Georgia with a cyberattack. That meant that any military operation that required telecommunications to coordinate, it meant everybody increasingly - companies, militaries, government - everybody relies on rapid, instant communications through the Internet.

And if you take that away, it's the equivalent of shutting down the train system during the Civil War, where, you know, the Union troops and the Confederate troops used trains to shuttle arms and troops and ammunition and supplies all over, you know, their area of control. They used trains, and if you could shut their trains down, you crippled their ability to function. And similarly, you could do that today by taking down the Internet.

GROSS: So if this botnet is being used to make money, how?

BOWDEN: Well, the simplest way it could be used to make money is to steal your private information, your passwords and codes for your bank accounts, if you do any banking online. I do. You know, I have credit cards, and I pay them online. If I have a bank account that I control online, and someone could tap into my computer and get my passwords and whatnot, they could drain my bank account.

Just recently they arrested a small group in the Ukraine who were using the Conficker botnet to drain bank accounts in the United States. They stole $72 million overnight from bank accounts all over the country.

GROSS: You mean like a renegade tapped into the Conficker botnet and was able to harness it for their own purpose?

BOWDEN: No, they probably leased a piece of the botnet.

GROSS: Oh, oh, oh. I see.

BOWDEN: See, people who own and control these botnets, they sell and lease them online. You could go online, and you could buy or borrow a piece of a botnet like Conficker and use it for whatever purpose you want to use. And that's interesting because...

GROSS: That is really nefarious.

BOWDEN: It is, you know, but it raises the question of whether creating and operating a botnet is a criminal activity because, I mean, if I break into a safe at the local bank using a Black and Decker drill, is Black and Decker culpable for the way I use the tool? I mean, that's one of the tools that you can use a botnet for.

You could lease - say you leased - with a botnet of like - or a piece of a botnet of about 25,000 computers, you could break the security codes for amazon.com. You could raid people's accounts. You could get Social Security numbers and data. There's almost no commercial security system in place that couldn't be breached by a supercomputer of, you know, tens of thousands, and as I said, the Conficker one is millions and millions.

(BREAK)

GROSS: My guest is Mark Bowden, and his new book is called "Worm: The First Digital World War," and it's about the Conficker worm - how it was discovered, how people tried to stop it, and it's a great detective story, as well as a lot of fascinating information about how these worms work. And Mark Bowden is best known for his book "Black Hawk Down," which was adapted into the film.

How was Conficker first spotted?

BOWDEN: It was initially spotted by computer security folks at Stanford Research Institute, at various other antivirus companies and big labs. And these major security - whether they're academic or commercial, you know, security studies is a big part of what they do. So, in my book, I write about Phil Porras, who is a top-notch security - computer security guy out at SRI in Menlo Park, California.

And he has what's called a honeynet, which is a - basically it's a collection of virtual computers that imitates a network, and it exists for the sole purpose of snaring malware. So whatever kind of malware is launched out on the Internet, it will - because he has a very large surface area of the Internet to observe - it'll eventually land in his honeynet.

And he has a screen on his desk which records and logs every new piece of malware that drops into his honeynet, and on a given day, he might get, you know, 100 to 200 new strains or - new strains of malware, most of which are instantly recognizable to him. They've been around for a while, people understand, and they're really no big threat.

But when Conficker appeared, you know, one of the readouts on his monitor told him this was a piece of malware that was not recognized by anyone, and so it was brand new, and that got his attention. And at the same time that was happening with Phil, that was happening at various other labs and companies around the world that pay close attention to this kind of thing.

GROSS: So several of these experts from around the world, Internet experts, internet security experts, got together to try to stop Conficker and also to try to figure out what Conficker was. How did this group get organized?

BOWDEN: Well, in a sense, they're already organized, in that these are guys who - and they're almost all men; there were very few women involved at any level, which is kind of an interesting cultural thing, I think - but they live and work in a kind of a virtual environment. Phil Porras has a little office out in Menlo Park, and he has an array of three computer screens on his desk. All these guys have three monitors, you know, on their desks.

And they're in constant communications with others in their field because, you know, they do computer security work. It's an international phenomenon, and they rely upon sort of group brainpower to brainstorm when something pops up that they're not used to.

So a lot of these folks knew each other and have known each other for years. Many times, they've never actually met in person, but they've been working together online for years and years.

GROSS: So they got together and they did this, volunteer basis, no pay, no budget.

BOWDEN: Right.

GROSS: But personal credit cards.

BOWDEN: Yes, in one case, Rick Wesson, who is one of the founders of this little group, realized that the way the - the only way they could really begin to stop the Conficker worm was to shut down the connection it made with its remote controller. And in order to do that, you had to basically anticipate all of the different avenues it would use to contact its remote controller.

And each of those avenues was a Web address, and in order to get a Web address, you have to pay money for it. You go to an IP, Internet service provider, ISP, and you purchase a website. If it's Fresh Air, they would have - you have a website, I'm sure, and you pay an Internet service provider a fee in order to maintain and to give you sole rights to that website.

So what Rick was doing was anticipating, because they were able to turn the clock on the worm forward, he could see what websites - and these were just series of numbers, for the most part randomly generated - but he knew where it would have to call. So if you could get to those places first and buy them up and own them, you could build a wall around it, essentially.

But it costs money. So he had to pull his own credit card out, and he had to pay for each one of the websites that they intercepted.

GROSS: So did he have to come up with the same algorithm that Conficker was using to generate website addresses?

BOWDEN: Well, that's the work that was done at SRI International. Phil Porras and his staff, when they discovered this new strain, they went to work trying to dissect it, which is a story in itself. It was a very cunningly crafted piece of software designed to avoid being decrypted, basically. But they have highly capable computer scientists on their staff who were able to crack Conficker's code.

And one of the things that it - one of its main tools was this algorithm that generated all these Web addresses it needed to try and contact in order to - and behind one of those doors would be the remote controller.

Basically all the worm is when it infests your computer is just an infection machine. It doesn't have any function to perform. It's designed to infect your machine and then to send out a message to its remote controller that says OK, I'm here, and I'm ready, right.

And unless it receives an instruction, it doesn't serve any purpose at all, but what it does on a regular basis is send out this message saying I'm here, what do you want me to do? Now, that message has to go somewhere. So traditionally the way you shut down a botnet is you figure out where are all those messages going? Let's get to that place and shut that place down, which would mean shutting down the Web address where those messages are being sent.

GROSS: Shutting down one of the mother computers.

BOWDEN: Right, and then what you would do then is effectively you cut the botnet's head off. It no longer can communicate with its controller. So what Conficker did was it generated initially 250 different Web addresses every day, and so every day, it would send that little message - hi, I'm here, tell me what to do - to all 250 of those randomly generated Web addresses.

Behind one of those doors was the remote operator. If you know which one of those 250 doors the remote operator is behind, well, fine, then you don't have to shut down all 250 doors, you just shut down the right door. But there's no way to know. So you do have to shut down all 250 doors every single day in order to prevent the worm from making contact with its controller.

GROSS: So what the people fighting Conficker did was tried to come up with an algorithm that would also generate as many domain addresses as the Conficker people were generating. And what was the point of that?

BOWDEN: Well, what they did was, they were able to turn the clock forward on the Conficker worm. So they knew in advance which 250 websites it was going to try to contact the next day, next week. And given any day in the future they could set the clock forward, and they would know, OK, you know, a month from today, these are the 250 Web addresses that that worm is going to generate. So it's going to try to knock on those particular 250 doors.

That gave them time to get out in front of it. Then if you know that - where it's going to be, you know, trying to make contact next week, you could shut down all 250 doors on that day next week, and it can't...

GROSS: So they could shut those doors.

BOWDEN: They did. Rick Wesson dipped into his own bank account and purchased - began purchasing all 250 domains for every single day, and as you turn Conficker forward, it regenerates a new list every day. So every day, you had to tie up a new 250 doors. And that gets to be pretty expensive over a fairly - it doesn't cost that much to buy up a website, but when you're doing 250 new ones every day forever, it mounts up.

GROSS: When the Conficker worm was first identified, and this group of volunteer Internet experts started following it, they figured out a lot about it, and then there was a new strain that was introduced, a Conficker B strain. What edge did B have over A?

BOWDEN: Well, most simply, you know, when Rick Wesson, who is a wonderfully sort of puckish, brilliant character who is, you know, an Internet entrepreneur, you know, computer scientist, when he devised this strategy of corralling the initial strain of Conficker, whoever is behind Conficker basically one-upped him.

If Rick figured out a way to shut down in advance 250 potential websites that the worm would contact, the next strain of the worm would generate 2,500 - I don't remember exactly anymore what the number was - but it upped the ante. Not only the number of websites that it could potentially contact went up exponentially, but also the number of top-level domains that were involved, that were included in those numbers, went up.

So basically they just gave Rick a much bigger job to do. They said OK, you can corral 250 a day under, you know, three or four top-level domains. Try 2,500 a day and five top-level domains. So it cost him more both in money, time, energy. And they knew, I think, the people behind the worm understood the nature of the antivirus industry in the world and that is that it was unfunded, it was volunteer, and so I think they're pushing the limit to see how far are you willing to go out of the goodness of your heart to stop us from doing this.

They were kind of daring them, and that was a new thing in the antivirus world. You know, they were used to figuring out a worm and shutting it down. Now they had one that was adapting as the process went forward. So they would figure out a way to kill it, and it would say OK, try this, and they would keep the worm alive by making adjustments to frustrate the people trying to stop them.

(BREAK)

GROSS: You say it's possible that the person or people who came up with Conficker are in the Ukraine. What makes experts think that?

BOWDEN: One of the first unique functions of the worm as it invaded a computer was to check and see what language was being used on the keyboard. And if the language that the computer was set up to function with was Ukrainian, it would destroy itself. It wouldn't invade that computer. So that led the security specialists to believe that whoever is behind this must be in the Ukraine. In the Ukraine, interesting...

GROSS: I don't understand.

BOWDEN: Well, every computer user when they sit in front of the keyboard and type in words are speaking a language. We, you know, you and I would use English, if you're French you're using French. There is actually Ukrainian software for people who speak Ukrainian. So the worm would check the computer to see if this was utilizing a Ukrainian keyboard. If it was using a Ukrainian keyboard it wouldn't infect that computer, it would just self-destruct. So the reason behind that would be in the Ukraine it's not against the law to steal money from an American bank account. It would be against the law if you're stealing money from a Ukrainian citizen, so they were making an effort, whoever was behind it, to avoid breaking the law in the Ukraine and that's the main reason why they believed that it came from there.

The second reason was that the initial launching point for Conficker was from Argentina, but there's a very large Ukrainian community, interestingly, in Argentina, and the IP address was from a network that is part of the Ukrainian community there.

GROSS: Why is it so difficult to track down who's behind Conficker? I mean, you write about how tightly encrypted things are now. How it would take - do I have this right? It would take like all the computers in the world? Like...

BOWDEN: It would take one of the most powerful computers in the world to crack the code. They use the highest level public encryption method known to man.

GROSS: And that's hard to crack.

BOWDEN: Very hard, the reason - I mean, the way encryption works nowadays is it used to be, you know, a code was so clever that a human being would have a really hard time figuring it out and cracking it. Now any code is crackable because basically a computer can be programmed to try every single possibility even if that means, you know, the highest numbers you can conceive of, until they find the one that works. But in order to do that kind of brute force calculation that it takes to crack the highest level codes, you would need the most powerful computer in the world or one of the largest botnets in the world, which is in effect a supercomputer, in order to crack that code.

GROSS: So you have this worm that is very effective in infecting millions of computers. You have this group of independent computer Internet experts from around the world trying to stop the Conficker worm. And at some point they think well, where is the government? The government is vulnerable because of this worm. It's so powerful, it's so smart. Where's the government? Where are their military computers that can be helping solve the mystery here? So the people from this independent group that's gotten together to try to stop Conficker try to get the government or the military involved and what happens?

BOWDEN: Well what they - initially they, you know, begin contacting agencies. But the first thing was Rick Wesson, when he realized how sophisticated the opponent was, knew that the only way that they could crack the code that Conficker used to communicate with its remote controller was with the largest computer in the world. Because they were utilizing the highest level known to mankind, you know, of encryption for their communications. And so the only way to really break that encryption is to get a computer like something like the NSA would have or the Pentagon. And so he began, you know, reaching out to them to see if they would, you know, be willing to loan their computer for this function.

And what he discovered - and as they went forward, they made many other efforts to involve government in this - was that no one in the government understood what was happening. That there was no, there was a very low level of cyber intelligence even at agencies that ought to have been very seriously involved, who were responsible for protecting the country, for protecting its electrical grid, for protecting its telecommunications. You know, these government agencies lacked the sophistication, not only the sophistication to deal with Conficker, but even to understand what Conficker was and what was actually happening.

They would get - they would invite people from various government agencies, including the Computer Emergency Readiness Team within the Department of Commerce, which exists specifically to protect the nation's computer networks, and these folks would say yeah, we'd love to be a part of your working group, but they never contributed anything. You have daily conversations going on between all these computer security experts in the Cabal, which is what they called themselves, trying to address the newest wrinkle, you know, with Conficker and there was never any input from anyone from government. So they at first thought well, agencies like the FBI, like the NA, like the Pentagon, they have national secrets to protect, they can't reveal their methods, they can't reveal their tactics.

And even, you know, these guys doing this believed that within the government there must be people who had their same level of skills and, you know, who really knew how to do this stuff. But after a while - and there's a chapter in the book where I describe, you know, the sort of the veil falling for the - or the curtain being pulled aside and there's no wizard of Oz, there's just a little guy pulling strings, they realized that the reason they weren't hearing anything from the government is that none of these folks really understood what was going on.

GROSS: So no help from the government?

BOWDEN: Absolutely none.

GROSS: At some point the Cabal, the group of the independent Internet security experts that were working to stop the Conficker worm, figured out the date that the computers were supposed to - the infected computers were supposed to report to the mother computer and get instructions.

BOWDEN: Right.

GROSS: What was the date?

BOWDEN: April 1st of 2009, April Fools' Day. And that date was significant because a new strain of Conficker had appeared that was like the mother of all Conficker strains. It was at this point contacting 50,000 domains a day. It included now every single top-level country domain in the world. So in order for them to shut down Conficker at that point they would have to get the cooperation of all, of every country-run top-level domain in the world, which they did in advance of April 1st. But the assumption was if Conficker had updated itself that significantly to make itself invulnerable, and that it was going to activate on April 1st, that would be the day, you know, if it was ever going to do anything really destructive to the Internet, that the order would be issued.

Because once this new strain kicked into gear there would be a learning curve and presumably, eventually, they would be able to get every country in the world on board and they would eventually be able to shut it down. So the remote operator of the botnet had a window that began on April 1st where they could really use it in a destructive way if they chose to. And so there was a great deal of concern within this community that something might happen. And, of course, that concern - they're still trying to get the government interested so they're calling reporters like John Markoff at The New York Times and Brian Krebs at The Washington Post who are experts in this and they're getting them to write about it.

And then, of course, TV stations pick up on the coverage in The New York Times and The Washington Post and it spins into this big story, you know, that the Internet is going to crash on April 1st, that, you know, they called it "cybergeddon" was going to happen. And none of the people in the Cabal actually believed that necessarily this was going to happen April 1st, just the potential would be there beginning on April 1st. And so what happened was a great sort of public relations disaster. The whole world tuned in waiting and then, of course, nothing happened because the user of this botnet apparently has little interest in taking down the Internet or using it in a destructive way. The people behind it apparently want to use it for criminal reasons.

GROSS: To make money.

BOWDEN: To make money.

GROSS: Lease it out and make money.

BOWDEN: Right.

(BREAK)

GROSS: So moral of the story. What does the story about Conficker and the people trying to stop it tell us about our vulnerability as individuals and as a nation?

BOWDEN: Well, I think it tells us that we place a whole lot of trust in, and increasingly place more and more trust in an electronic tool that is very vulnerable to destruction or attack. And the reason for that is that the people who created it were motivated by this sort of utopian vision of sharing information freely and how it would empower people all over the world. But they failed to take into consideration that there are evil people in the world or people who would use this tool, as every tool in history has been used, to - for harm as opposed to for good.

GROSS: So is there any way I can tell whether my computers have been infected by the Conficker worm?

BOWDEN: Yes. If you go to the Conficker Working Group's website or to any of the antivirus company websites, there's a little diagnostic tool that they can give you that will tell you whether or not your system is connected to the botnet. If you have a Mac it's probably not. If you - because it attacks the Windows operating system. But the bottom line, Terry, is that it doesn't really - it shouldn't really matter that much to you, you know, whether your computer has been infected, because the worm doesn't want to do anything. It's not going to harm your computer. It's not going to borrow so much of your computer that you'll even notice that it's there. It wants to use your computer, so it needs your computer to be healthy.

I guess the one reason that would be useful, and this is more in the area of people whose job it is to protect the security of networks of computers, is that they want to make sure their network is not infected. Because one of the first things that Conficker does is shut down the ability of that computer to receive security updates. So you aren't getting, if you're infected with Conficker, you aren't getting the most recent patches and software updates dealing with security that come from Microsoft. So it might be worth your while if you have a Windows operating system on your computer to check with, if you just Google "Conficker Working Group" you'll come up with the website, and they advertise - they'll for free download a little diagnostic tool.

GROSS: So do any of the antiviral softwares now actually protect against being infected by Conficker?

BOWDEN: Yes. I mean...

GROSS: Do they know the code well enough that they can do that?

BOWDEN: Well, this is actually a really interesting kind of catch-22 in this story. Microsoft actually anticipated Conficker. The security engineers at Microsoft realized that they had a vulnerability in their operating system that could be exploited by a remote operator to establish a botnet under his control back in the summer of 2008, four or five months before Conficker actually appeared. And so they issued a patch. So if you were a Windows - if you had a Windows operating system, you would get the security update from Microsoft. And if you downloaded it, your computer was protected from Conficker, or any other worm of that type.

The problem is that most people don't faithfully execute their security updates. And most Windows operating systems are on computers around the world that are pirated or borrowed or copied that aren't officially registered, so that when Microsoft issues its patch it only reaches a fairly small percentage of the operating systems of the computers in the world that run Windows. So what happens is when they issue a patch, which they did in, I believe it was in the fall of 2008, it effectively advertises a vulnerability to the rest of the world. It's says, hey, we're vulnerable here.

GROSS: Oh. Oh. Oh.

BOWDEN: And any computer that doesn't have this patch is going to be - you can - here's - and it not only informs, you know, the miscreants out there that this vulnerability exists, it effectively tells them how to exploit it. And so after the patch was issued for the vulnerability, a whole new strain of malware appears to take advantage of it. And Conficker arguably was - the function was created - I mean, timeline-wise, it was created after Microsoft had patched the hole.

GROSS: Oh. So maybe Conficker found out about it through the patch.

BOWDEN: Without a doubt. I think that what happens is once - Patch Tuesday is the first Tuesday of every month, and Microsoft issues its security updates. And this actually was such an urgent update, they issued it out of sequence. They didn't even wait for Patch Tuesday. So it effectively is like putting a great billboard in the sky that everyone in the world can see that says: Microsoft is vulnerable at this port. Here's how you attack it. And the various, you know, black industries that create malware get to work. Oh, well, we're going to exploit this.

GROSS: So the lesson to us good guys is download your antiviral software and the patches.

BOWDEN: Right. Exactly.

GROSS: Right.

BOWDEN: It's serious business. And it even - and again, it's not so much anymore to protect your computer from being invaded and harmed. It's a social responsibility, in the same way getting vaccinated is a social responsibility...

GROSS: Or sexually transmitted diseases.

(SOUNDBITE OF LAUGHTER)

BOWDEN: Well, I mean, if everybody would do it, we would all be safe. We would all be secure. But...

GROSS: Yeah. Yeah. Yeah.

BOWDEN: You know, you can't make people do things. And, you know, one argument about making computer networks secure is that once you discover a vulnerability, the capability exists to go into every computer that uses Windows through the Internet, go in and automatically, you know, patch the holes and things. But people would get very nervous about the idea of Microsoft or the government, you know, being able to invade the innards of their personal computer for whatever reason. So there are laws against that.

GROSS: Right. You were saying if your computer is infected by the computer worm, you don't really have to worry about what it's going to do to your computer. It wants to use your computer, not damage your computer. But it could use - the people behind Conficker could use it, right, to get your passwords to get private information. So in that sense you kind of do have to worry, don't you?

BOWDEN: Yes, you're exactly right. I think you ought to be concerned. And so it's worthwhile, you know, Googling "Conficker Working Group" and looking for the diagnostic tool, and it wouldn't cost anything. I mean, you could download it. You could find out whether you have it, and Conficker Working Group will send you software that will rid your computer of it, if you wish.

GROSS: I feel like I've been living with blinders on. You know, I used - I'm so attached to my several computers and...

(SOUNDBITE OF LAUGHTER)

GROSS: ...and I'm feeling so vulnerable right now, because I - I'm - you know, I don't always update things. I don't understand a lot of this stuff. And when I think of all the things that can be done to my computers or that my computers could be used to do, it's scary.

BOWDEN: It is scary. I mean, there's a quote, actually, on the cover of the book from Paul Vixie. He was one of the founders of the Internet. He says, in essence, he's so aware of the threat to the Internet posed by, you know, these botnets, that if he let himself think about it for too long, he wouldn't be able to function on the daily basis. And so he just kind of deliberately puts it out of his mind so that he can go ahead. So, I mean, I do think that when you're aware, you do take precautions to protect your computer, not just for yourself, but for the good of all of us. And also, I think there's a real lesson here for government - which I believe government has learned since Conficker - that they need to be active players in this game.

GROSS: My guest is Mark Bowden, author of the new book "Worm: The First Digital World War." He'll be back after a break. If you want to see if your computer has been infected by the Conficker worm, go to our website, where you'll find a link to the Conficker Working Groups test. That's freshair.npr.org. This is FRESH AIR.

(BREAK)

GROSS: So Conficker went after the Microsoft operating system. It attacked Microsoft computers, not Macs. Some people think that Macs are less vulnerable to viruses and worms that Microsoft computers are, Microsoft operating systems are. Is there something inherently different about Apple's protection than Microsoft's protection? Or is it just that Microsoft - that more people have Microsoft computers, therefore more malware is designed to go after Microsoft?

BOWDEN: It's just because Microsoft is so much bigger. And, you know, and as I said, even apart from the numbers of operating systems that they sell, that they market and sell, there are large parts of the world - in China, in particular - where literally hundreds of millions of people use it who have never paid for it. They just buy pirated versions of it. So it is the de facto operating system for the vast majority of computers in the world. Why would you design, you know, a botnet that would only attack, you know, a small corner of the Internet?

GROSS: So how have you changed your computer hygiene since writing this book?

BOWDEN: Well, I have a Mac. And so I haven't worried about it too much. But I am very dutiful about security updates. My - I have my computer set up to automatically update itself every time any kind of security thing comes along. I've also learned a lot more about, you know, how to, well, how computer works, what's going on with this thing, which has been useful from time to time. If I have software that's hanging up or something like that, I can figure out how to, you know, get rid of it and reinstall it. And I just have - I've become a little bit more of a skilled computer user.

GROSS: So is this an argument against using online banking?

BOWDEN: No, I don't think so, because the chances of you being victimized are still relatively small. It would take a fairly sophisticated operation to break into Bank of America or, you know...

GROSS: But there are very sophisticated operations out there.

(SOUNDBITE OF LAUGHTER)

BOWDEN: There are, and it can happen and it does happen. But, I mean, banks get robbed, too. And I think, you know, bank accounts are insured, so I don't really think you need to worry too much yet. I think, you know, for me and for these computer security people, what worries them more is the potential use of malware as a weapon. And I think that we saw in the, you know, Stuxnet, which either the United States or Israel or both designed malware that attacked the computer network that was running the uranium enrichment program in Iran, which everybody wants - in the Western world wants to try and stop, and very cleverly instructed those computers to send Iran's centrifuges spinning out of control and set back their enrichment effort by a year or two, at least.

So this gladdened the hearts of the Western world. But what it demonstrated was the vulnerability of computer networks. And I don't know for a fact, but they may well have leased part of the Conficker botnet in order to go after these computers in Iran. We don't know the exact mechanism, but that's how such things get done. I mean, you can go to a botnet like Conficker, and you can shop for a network that you want to target. And that's really the way malware is - that's where malware is going now.

Instead of creating these huge scam operations that are worldwide, you have very sophisticated either nation-states or criminal gangs who are targeting very specific things and crafting software to go after them. And the reason that botnets are useful to them is because they can get a catalog of vulnerable computers within the FBI, within the Pentagon, within, you know, Bank of America, within NPR. And they can - they know they can get at those computers with the software that they've designed.

GROSS: Yikes.

(SOUNDBITE OF LAUGHTER)

GROSS: So the United States recently changed its cyber policy to recognize a cyber attack basically as an act of war, the equivalent of being bombed.

BOWDEN: Just this year. Yeah.

GROSS: Yeah. So what's the policy now?

BOWDEN: Well, the policy is that the Pentagon realizes that any enemy in the world today that we go to war against is going to come after us with cyber weapons, and that we need to, number one, secure our vital networks from attack. And number two, we need to be able to do the same thing to them. And we also need to be able to recognize attacks when they're occurring, figure out ways of stopping them. The cyber command was just established last year at NSA at Fort Meade. Now, I mean, this is a year or so after Conficker was created.

The government has also set up a very interesting sort of public-private partnership in cybersecurity out at Carnegie Mellon University in Pittsburgh, where industry experts like the ones - and, in fact, in some cases the actual folks that I wrote about in "Worm" - are working alongside the FBI agents to not only protect networks, but to find the people behind them and arrest them. And they were responsible for rounding up this group just recently in Europe. So President Obama, the month after he took office, gave a speech essentially acknowledging that the United States was vulnerable to cyber attack, and cited specifically the Conficker worm as an illustration of how ill-prepared we were as a country to deal with this.

And so I think the government is more aware, and they've hired some of the folks that worked on the Conficker worm, were part of the Conficker Working Group. So they're learning fast, and we're getting better at it. But back in 2000 - and as recently as 2008, 2009 - the Internet was just sort of wide open.

GROSS: Well, Mark Bowden, thank you so much for talking with us.

BOWDEN: You're welcome. My pleasure.

GROSS: Mark Bowden is the author of the new book "Worm: The First Digital World War." You can read an excerpt on our website, freshair.npr.org, where you can also download podcasts of our show. Transcript provided by NPR, Copyright NPR.